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Abstract 


The purpose of this document is to make the specifications of the 
cryptographic algorithms defined by the Russian national standards 
GOST R 34.10-2012 and GOST R 34.11-2012 available to the Internet 
community for their implementation in the cryptographic protocols 
based on the accompanying algorithms. 


These specifications define the pseudorandom functions, the key 
agreement algorithm based on the Diffie-Hellman algorithm and a hash 
function, the parameters of elliptic curves, the key derivation 
functions, and the key export functions. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This is a contribution to the RFC Series, independently of any other 
RFC stream. The RFC Editor has chosen to publish this document at 
its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by 
the RFC Editor are not a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 


and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc7836. 


Smyshlyaev, et al. Informational [Page 1] 


RFC 7836 


Cryptographic Algorithms for GOST 


Copyright Notice 


March 2016 


Copyright (c) 2016 IETF Trust and the persons identified as the 
document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust's Legal 
Provisions Relating to IETF Documents 


(http://trustee.ietf.org/license-info) 
publication of this document. 
carefully, 


to this document. 


Table of Contents 


in effect on the date of 
Please review these documents 
as they describe your rights and restrictions with respect 


1. Introduction 3 
2. Conventions Used in This Document 3 
3. Basic Terms, Definitions, and Notations 3 
4. Algorithm Descriptions 6 
4.1.  HMAC Functions 6 
4.2. Pseudorandom Putcttons 7 
4.3. VKO Algorithms for Key Agreement $ 8 
4.4. The Key Derivation Function KDF TREE | GOSTR3411 “2012 | 256 . 10 
4.5. The Key Derivation Function KDF GOSTR3411 2012 256 11 
4.6. Key Wrap and Key Unwrap 11 
5. The Parameters of Elliptic Curves 12 
5.1. Canonical Form i 13 
5.2. Twisted Edwards Form 14 
6. Security Considerations 15 
7. References ES 16 
7.1. Normative Baterünces 16 
T.2. Informative References 17 
Appendix A. Values of the Parameter Sets 18 
A.1. Canonical Form Parameters 18 
A.2. Twisted Edwards Form Parameters 20 
Appendix B. Test Examples 22 
Appendix C. GOST 28147-89 Parameter Set 30 
Acknowledgments 30 
Authors' Addresses 30 


Smyshlyaev, 


et al. Informational 


[Page 2] 


RFC 7836 Cryptographic Algorithms for GOST March 2016 


Les 


Introduction 


The accompanying algorithms are intended for the implementation of 
cryptographic protocols. This memo contains a description of the 
accompanying algorithms based on the Russian national standards GOST 
R 34.10-2012 [GOST3410-2012] and GOST R 34.11-2012 [GOST3411-2012]. 
The English versions of these standards can be found in [RFC7091] and 
[RFC6986]; the English version of the encryption standard GOST 
28147-89 [GOST28147-89] (which is used in the key export functions) 
can be found in [RFC5830]. 


The specifications of algorithms and parameters proposed in this memo 
are provided on the basis of experience in the development of the 
cryptographic protocols, as described in [RFC4357], [RFC4490], and 
[RFC4491]. 


This memo describes the pseudorandom functions, the key agreement 
algorithm based on the Diffie-Hellman algorithm and a hash function, 
the parameters of elliptic curves, the key derivation functions, and 
the key export functions necessary to ensure interoperability of 
security protocols that make use of the Russian cryptographic 
standards GOST R 34.10-2012 [GOST3410-2012] digital signature 
algorithm and GOST R 34.11-2012 [GOST3411-2012] cryptographic hash 
function. 


Conventions Used in This Document 
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 


"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in [RFC2119]. 


Basic Terms, Definitions, and Notations 


This document uses the following terms and definitions for the sets 
and operations on the elements of these sets: 


(xor) Exclusive-or of two binary vectors of the same length. 

Vn The finite vector space over GF(2) of dimension n, n >= 0, 
with the (xor) operation. For n = 0, the V O0 space consists 
of a single empty element of size 0. 
If U is an element of V n, then U = (u (n-1), u (n-2), ..., 


u 1, u 0), where u i in (0, 1}. 
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The set of byte vectors of size r, r >= 0, for r = 0 the 

V (8, r) set consists of a single empty element of size 0. 
If W is an element of V (8, r), r > 0, then W = (w^O, w^1, 
..., W^(r-1)), where w^0, w^l, ..., w^(r-1) are elements of 
V 8. 


Bit representation 


The bit representation of the element W = (w^O, w^l, ..., 
w^(r-1)) of V (8, r) is an element (w (8r-1), w (8r-2), ..., 
w 1, w O) of V (8*r), where w^O = (w 7, w 6, ..., w0), 
w^l = (w 15, w 14, ..., w 8), ..., w^(r-1 (w (8r-1), 

( 


( ) = 
8r-2), ..., w_(8r-8)) are elements of V_8. 


Byte representation 
If n is a multiple of 8, r = n/8, then the byte 


representation of the element W = (w_(n-1), w_(n-2), ..., 
w O) of V_n is a byte vector (w^O, w^l, ..., w^(r-1)) of 
V (8, r), where w^0 = (w 7, w 6, ..., w 0), w^l = (w 15, 
w 14, ..., w 8), ..., w^(r-1) = (w (8r-1), w (8r-2), ..., 
w (8r-8)) are elements of V 8. 

A|B Concatenation of byte vectors A and B, i.e., if A in 
V (8, r1), B in V (8, r2), A = (a^O, a^1, ..., a^(rl-1)) and 
B = (b^O0, b^l, ..., b^t(r2-1)), then A|B ectat0, ca lg. weezy 
a^(rl-1), b^O, b^l1, ..., b^(r2-1)) is an element of V (8, 
rl+r2). 

K (key) An arbitrary element of V_n. If K in V_n, then its size (in 
bits) is equal to n, where n can be an arbitrary natural 
number. 
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This memo uses the following abbreviations and symbols: 


4p--------- 4--------------------------------------------------------- t 
| Symbols | Meaning | 
+--------- 4--------------------------------------------------------- + 
| H_256 | GOST R 34.11-2012 hash function with 256-bit output | 
| H_512 | GOST R 34.11-2012 hash function with 512-bit output | 
| HMAC | Hashed-based Message Authentication Code. A function | 
| | for calculating a message authentication code, based on | 
| | a hash function in accordance with [RFC2104] 

| PRF | A pseudorandom function, i.e., a transformation that | 
| | allows generation of a pseudorandom sequence of bytes | 
| KDF | A key derivation function, i.e., a transformation that | 
| | allows keys and keying material to be derived from the | 
| | root key and additional input using a pseudorandom | 
| | function | 

VKO A key agreement algorithm based on the Diffie-Hellman 
algorithm and a hash function 
+--------—- 4--------------------------------------------------------- + 


To generate a byte sequence of the size r with functions that give a 
longer output, the output is truncated to the first r bytes. This 
remark applies to the following functions: 


o the functions described in Section 4.2; 
o KDF_TREE_GOSTR3411_2012_256 described in Section 4.4; 
o KDF GOSTR3411 2012 256 described in Section 4.5. 


Hereinafter, all data are provided in byte representation unless 
otherwise specified. 


If a function is defined outside this document (e.g., H 256) and its 
definition requires arguments in bit representation, it is assumed 
that the bit representations of the arguments are formed immediately 
before the calculation of the function (in particular, immediately 
after the application of the operation (D to the byte representation 
of the arguments). 


If the output of another function defined outside of this document is 


used as an argument of the functions defined below and it has the bit 
representation, then it is assumed that an output MUST have a length 
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that is a multiple of 8 and that it will be translated into the byte 
representation in advance. 


When a point on an elliptic curve is given to an input of a hash 
function, affine coordinates for short Weierstrass form are used (see 
Section 5): an x coordinate value is fed first, a y coordinate value 
is fed second, both in little-endian format. 


4. Algorithm Descriptions 
4.1.  HMAC Functions 


This section defines the HMAC transformations based on the GOST R 
34.11-2012 [GOST3411-2012] algorithm. 


4.1.1.  HMAC GOSTR3411 2012 256 


This HMAC transformation is based on the GOST R 34.11-2012 
[GOST3411-2012] hash function with 256-bit output. The object 
identifier of this transformation is shown below: 


id-tc26-hmac-gost-3411-12-256::-2 (iso(1) member-body (2) ru(643) 
rosstandart(7) tc26(1) algorithms(1) mac(4) hmac-gost- 
3411-12-256(1)}. 


This algorithm uses H_256 as a hash function for HMAC, described in 
[RFC2104]. The method of forming the values of ipad and opad is also 
Specified in [RFC2104]. The size of HMAC GOSTR3411 2012 256 output 
is equal to 32 bytes, the block size of the iterative procedure for 
the H 256 compression function is equal to 64 bytes (in the notation 
of [RFC2104], L = 32 and B = 64, respectively). 


4.1.2.  HMAC GOSTR3411 2012 512 


This HMAC transformation is based on the GOST R 34.11-2012 
[GOST3411-2012] hash function with 512-bit output. The object 
identifier of this transformation is shown below: 


id-tc26-hmac-gost-3411-12-512::-2 (iso(1) member-body (2) ru(643) 
rosstandart(7) tc26(1) algorithms(1) mac(4) hmac-gost- 
3411-12-512 (2) F: 


This algorithm uses H 512 as a hash function for HMAC, described in 
[RFC2104]. The method of forming the values of ipad and opad is also 
Specified in [RFC2104]. The size of HMAC GOSTR3411 2012 512 output 
is equal to 64 bytes, the block size of the iterative procedure for 
the H 512 compression function is equal to 64 bytes (in the notation 
of [RFC2104], L = 64 and B = 64, respectively). 
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4.2.  Pseudorandom Functions 


This section defines four HMAC-based PRF transformations recommended 
for usage. Two of them are designed for the Transport Layer Security 
(TLS) protocol and two are designed for the IPsec protocol. 


4.2.1. PRFs for the TLS Protocol 
4.2.1.1. PRF TLS GOSTR3411. 2012 256 


This is the transformation providing the pseudorandom function for 
the TLS protocol (1.0 and higher versions) in accordance with GOST R 
34.11-2012 [GOST3411-2012]. It uses the P GOSTR3411. 2012 256 
function that is similar to the P hash function defined in Section 5 
of [RFC5246], where the HMAC GOSTR3411 2012 256 function (defined in 
Section 4.1.1 of this document) is used as the HMAC hash function. 


PRF TLS GOSTR3411,. 2012 256 (secret, label, seed) = 
= P GOSTR3411 2012 256 (secret, label | seed). 


Label and seed values MUST be assigned by a protocol, their lengths 
SHOULD be fixed by a protocol in order to avoid possible collisions. 


4.2.1.2.  PRF TLS GOSTR3411, 2012. 512 


This is the transformation providing the pseudorandom function for 
the TLS protocol (1.0 and higher versions) in accordance with GOST R 
34.11-2012 [GOST3411-2012]. It uses the P GOSTR3411 2012 512 
function that is similar to the P hash function defined in Section 5 
of [RFC5246], where the HMAC GOSTR3411 2012 512 function (defined in 
Section 4.1.2 of this document) is used as the HMAC hash function. 


PRF TLS GOSTR3411,. 2012 512 (secret, label, seed) = 
= P GOSTR3411 2012 512 (secret, label | seed). 


Label and seed values MUST be assigned by a protocol, their lengths 
SHOULD be fixed by a protocol in order to avoid possible collisions. 


4.2.2.  PRFs for the IKEv2 Protocol Based on GOST R 34.11-2012 


The specification for the Internet Key Exchange protocol version 2 
(IKEv2) [RFC7296] defines the usage of PRFs in various parts of the 
protocol for the purposes of generating and authenticating keying 
material. 


IKEv2 has no default PRF. This document specifies that 


HMAC GOSTR3411 2012 256 may be used as the "prf" function in the 
"prf+" function for the IKEv2 protocol 
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(PRF IPSEC PRFPLUS GOSTR3411 2012 256). Also, this document 
specifies that HMAC GOSTR3411 2012 512 may be used as the "prf" 
function in the "prf+" function for the IKEv2 protocol 

(PRF IPSEC PRFPLUS GOSTR3411 2012 512). 


4.3. VKO Algorithms for Key Agreement 


This section specifies the key agreement algorithms based on GOST R 
34.10-2012 [GOST3410-2012]. 


4.3.1. VKO GOSTR3410, 2012 256 


The VKO GOSTR3410 2012 256 transformation is used for agreement of 
256-bit keys and is based on the 256-bit version of GOST R 34.11-2012 
[GOST3411-2012]. This algorithm can be applied for a key agreement 
using GOST R 34.10-2012 [GOST3410-2012] with 256-bit or 512-bit 
private keys. 


The algorithm is designed to produce an encryption key or a keying 
material of size 256 bits to be used in various cryptographic 
protocols. A key or a keying material KEK VKO (x, y, UKM) is 
produced from the private key x of one side, the public key y*P of 
the opposite side and the User Keying Material (UKM) value. 


The algorithm can be used for static and ephemeral keys with the 
public key size n >= 512 bits including the case where one side uses 
a static key and the other uses an ephemeral one. 


The UKM parameter is optional (the default UKM - 1) and can take any 
integer value from 1 to 2^(n/2)-1. It is allowed to use a non-zero 
UKM of an arbitrary size that does not exceed n/2 bits. If at least 
one of the parties uses static keys, the RECOMMENDED length of UKM is 
64 bits or more. 


KEK VKO (x, y, UKM) is calculated using the formulas: 

KEK VKO (x, y, UKM) = H 256 (K (x, y, UKM)), 

K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P), 
where m and q are the parameters of an elliptic curve defined in the 
GOST R 34.10-2012 [GOST3411-2012] standard (m is an elliptic curve 
points group order, q is an order of a cyclic subgroup), P is a non- 
zero point of the subgroup; P is defined by a protocol. 
This algorithm is defined similar to the one specified in Section 5.2 


of [RFC4357], but applies the hash function H 256 instead of the hash 
function GOST R 34.11-94 [GOST3411-94] (referred to as "gostR3411"). 
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In addition, K(x, y, UKM) is calculated with public key size n >= 512 
bits and UKM has a size up to n/2 bits. 


4.3.2. VKO GOSTR3410 2012 512 


The VKO GOSTR3410 2012 512 transformation is used for agreement of 
512-bit keys and is based on the 512-bit version of GOST R 34.11-2012 
[GOST3411-2012]. This algorithm can be applied for a key agreement 
using GOST R 34.10-2012 [GOST3410-2012] with 512-bit private keys. 


The algorithm is designed to produce an encryption key or a keying 
material of size 512 bits to be used in various cryptographic 
protocols. A key or a keying material KEK VKO (x, y, UKM) is 
produced from the private key x of one side, the public key y*P of 
the opposite side and the UKM value, considered as an integer. 


The algorithm can be used for static and ephemeral keys with the 
public key size n >= 1024 bits including the case where one side uses 
a static key and the other uses an ephemeral one. 


The UKM parameter is optional (the default UKM - 1) and can take any 
integer value from 1 to 2^(n/2)-1. It is allowed to use a non-zero 
UKM of an arbitrary size that does not exceed n/2 bits. If at least 
one of the parties uses static keys, the RECOMMENDED length of UKM is 
128 bits or more. 


KEK VKO (x, y, UKM) is calculated using the formulas: 
KEK VKO (x, y, UKM) = H 512 (K (x, y, UKM)), 
K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P), 


where m and q are the parameters of an elliptic curve defined in the 
GOST R 34.10-2012 [GOST3411-2012] standard (m is an elliptic curve 
points group order, q is an order of a cyclic subgroup), P is a non- 
zero point of the subgroup; P is defined by a protocol. 


This algorithm is defined similar to the one specified in Section 5.2 
of [RFC4357], but applies the hash function H 512 instead of the hash 
function GOST R 34.11-94 [GOST3411-94] (referred to as "gostR3411"). 
In addition, K(x, y, UKM) is calculated with public key size n >= 
1024 bits and UKM has a size up to n/2 bits. 
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4.4. The Key Derivation Function KDF TREE GOSTR3411 2012 256 


The key derivation function KDF TREE GOSTR3411 2012 256 based on the 
HMAC GOSTR3411 2012 256 function is given by: 


KDF TREE GOSTR3411 2012 256 (K in, label, seed, R) = K(1) | K(2) | 
K(3) | K) |..., 
K(i) = HMAC GOSTR3411 2012 256 (K in, [i] b | label | 0x00 | seed 


| IL]. b), i >= 1, 
where: 
K in Derivation key. 
label, seed 


The parameters that MUST be assigned by a protocol; their 
lengths SHOULD be fixed by a protocol. 


R A fixed external parameter, with possible values of 1, 2, 3, 
or 4. 
i Iteration counter. 


[i] b Byte representation of the iteration counter (in the network 
byte order); the number of bytes in the representation [i] b 
is equal to R (no more than 4 bytes). 


L The required size (in bits) of the generated keying material 
(an integer, not exceeding 256* (2^(8*R)-1)). 


[L] b Byte representation of L, in network byte order (variable 
length: no leading zero bytes added). 


The key derivation function KDF TREE GOSTR3411 2012 256 is intended 
for generating a keying material of size L, not exceeding 
256*(2^(8*R)-1) bits, and utilizing general principles of the input 
and output for the key derivation function outlined in Section 5.1 of 


NIST SP 800-108 [NISTSP800-108]. The HMAC GOSTR3411 2012 256 
algorithm described in Section 4.1.1 is selected as a pseudorandom 
function. 


Each key derived from the keying material formed using the derivation 
key K in (0-level key) may be a 1-level derivation key and may be 
used to generate a new keying material. The keying material derived 
from the first level derivation key can be split down into the second 
level derivation keys. The application of this procedure leads to 
the construction of the key tree with the root key and the formation 
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of the keying material to the hierarchy of the levels, as described 
in Section 6 of NIST SP 800-108 [NISTSP800-108]. The partitioning 
procedure for keying material at each level is defined in accordance 
with a specific protocol. 


4.5. The Key Derivation Function KDF GOSTR3411 2012 256 


The KDF GOSTR3411 2012 256 function is equivalent to the function 
KDF TREE GOSTR3411 2012 256, when R = 1, L = 256, and is given by: 


KDF GOSTR3411. 2012 256 (K in, label, seed) = 
HMAC GOSTR3411 2012 256 (K in, 0x01 | label | 0x00 | seed | 0x01 | 


0x00), 
where: 
K in Derivation key. 


label, seed 


The parameters that MUST be assigned by a protocol; their 
lengths SHOULD be fixed by a protocol. 


4.6. Key Wrap and Key Unwrap 


Wrapped representation of a secret key K (256-bit GOST 28147-89 
[GOST28147-89] key, 256-bit or 512-bit GOST R 34.10-2012 
[GOST3410-2012] private key) is formed as follows by using a given 
export key K e (GOST 28147-89 [GOST28147-89] key) and a random seed 


vector: 
1. Generate a random seed vector from 8 up to 16 bytes. 
2. With the key derivation function, using an export key K_e as a 


derivation key, produce a key KEK e (Ke, seed), where: 
KEK e (Ke, seed) = KDF GOSTR3411. 2012 256 (Ke, label, seed), 


where the KDF GOSTR3411 2012 256 function (see Section 4.5) is 
used as a key derivation function for the fixed label value 


label = (0x26 | OxBD | OxB8 | 0x78). 


3. GOST 28147-89 [GOST28147-89] Message Authentication Code (MAC) 
value (4-byte) for the data K and the key KEK e (Ke, seed) is 
calculated; the initialization vector (IV) in this case is equal 
to the first 8 bytes of seed. The resulting value is denoted as 
CEK MAC. 
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4. The key K is encrypted with the GOST 28147-89 [GOST28147-89] 
algorithm in the Electronic Codebook (ECB) mode with the key 
KEK e (Ke, seed). The result is denoted as CEK ENC. 


5. The wrapped representation of the key is (seed | CEK_ENC | 
CEK MAC). 


The value of key K is restored from the wrapped representation of the 
key and the export key K e as follows: 


1. Obtain the seed, CEK ENC and CEK MAC values from the wrapped 
representation of the key. 


2. With the key derivation function, using the export key K eas a 
derivation key, produce a key KEK e(K e, seed), where: 


KEK e (Ke, seed) = KDF GOSTR3411,. 2012 256 (Ke, label, seed), 


where the KDF GOSTR3411 2012 256 function (see Section 4.5) is 
used as a key derivation function for the fixed label value 


label - (0x26 | OxBD | OxB8 | 0x78). 


3. The CEK ENC field is decrypted with the GOST 28147-89 
[GOST28147-89] algorithm in the Electronic Codebook (ECB) mode 
with the key KEK e(K e, seed). The unwrapped key K is assumed to 
be equal to the result of decryption. 


4. GOST 28147-89 [GOST28147-89] MAC value (4-byte) for the data K 
and the key KEK e(K e, seed) is calculated; the initialization 
vector (IV) in this case is equal to the first 8 bytes of seed. 
If the result is not equal to CEK MAC, an error is returned. 


The GOST 28147-89 [GOST28147-89] algorithm is used with the parameter 
set defined in Appendix C of this document. 


5. The Parameters of Elliptic Curves 


This section defines the elliptic curves parameters and object 
identifiers that are RECOMMENDED for usage with the signature and 
verification algorithms of the digital signature in accordance with 
the GOST R 34.10-2012 [GOST3410-2012] standard and with the key 
agreement algorithms VKO GOSTR3410 2012 256 and 

VKO GOSTR3410 2012 512. 


This document does not negate the use of other parameters of elliptic 
curves. 
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5.1. Canonical Form 


This section defines the elliptic curves parameters of the GOST R 
34.10-2012 [GOST3410-2012] standard for the case of elliptic curves 
with prime 512-bit moduli in canonical (short Weierstrass) form, that 
is given by the following equation defined in GOST R 34.10-2012 
[GOST3410-2012]: 


y^2 = x^3 + ax + b (mod p). 


In case of elliptic curves with 256-bit prime moduli, the parameters 
defined in [RFC4357] are proposed for use. 


5.1.1. Parameters and Object Identifiers 


The parameters for each elliptic curve are represented by the 
following values, which are defined in GOST R 34.10-2012 
[GOST3410-2012]: 


p the characteristic of the underlying prime field; 


a, b the coefficients of the equation of the elliptic curve in the 
canonical form; 


m the elliptic curve group order; 
q the elliptic curve subgroup order; 


(x, y) the coordinates of the point P (generator of the subgroup of 
order q) of the elliptic curve in the canonical form. 


Both sets of the parameters are presented as structures of the form: 


SEQUENCE { 

INTEGER, 
INTEGER, 
INTEGER, 
INTEGER, 
INTEGER, 
INTEGER, 
INTEGER 


~K XxXxa3 0w 


The parameter sets have the following object identifiers: 
1.  id-tc26-gost-3410-12-512-paramSetA::- {iso(1) member-body (2) 


ru(643) rosstandart(7) tc26(1) constants(2) sign-constants (1) 
gost-3410-12-512-constants (2) paramSetA(1) }; 
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225 


akt 


2.  id-tc26-gost-3410-12-512-paramSetB::- {iso(1) member-body (2) 
ru(643) rosstandart(7) tc26(1) constants(2) sign-constants (1) 
gost-3410-12-512-constants (2) paramSetB(2)}. 


The corresponding values of the parameter sets can be found in 
Appendix A.1. 


Twisted Edwards Form 


This section defines the elliptic curves parameters and object 
identifiers of the GOST R 34.10-2012 [GOST3410-2012] standard for the 
case of elliptic curves that have a representation in the twisted 
Edwards form with prime 256-bit and 512-bit moduli. 


A twisted Edwards curve E over a finite prime field Fp, p > 3, is an 
elliptic curve defined by the equation: 


e*u^2 + v^2 = 1 + d*u^2*v^2 (mod p), 
where e, d are in F p, ed(e-d) != 0. 
A twisted Edwards curve has an equivalent representation in the short 
Weierstrass form defined by parameters a, b. The parameters a, b, e, 


and d are related as follows: 


a= s^2 - 3*t^2 (mod p), 
b = 2*t^3 - t*s^2 (mod p), 


where: 
S = (e- d)/A (mod p), 
t = (e + d)/6 (mod p). 


Coordinate transformations are defined as follows: 


(u,v) --» (x,y) = (s(1 + v)/(1- v) + t, s(1 + v)/((1 - v)u)), 
(x,y) --» (u,v) = ((x - t)/y, (x - t - s)/(x - t + s)). 
1. Parameters and Object Identifiers 


The parameters for each elliptic curve are represented by the 
following values, which are defined in GOST R 34.10-2012 
[GOST3410-2012]: 


p The characteristic of the underlying prime field. 


a, b The coefficients of the equation of the elliptic curve in the 
canonical form. 
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e, d 
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The coefficients of the equation of the elliptic curve in the 
twisted Edwards form. 
The elliptic curve group order. 
The elliptic curve subgroup order. 


The coordinates of the point P (generator of the subgroup of 
order q) of the elliptic curve in the canonical form. 


The coordinates of the point P (generator of the subgroup of 
order q) of the elliptic curve in the twisted Edwards form. 


Both sets of the parameters are presented as ASN structures of the 


form: 


SEQUENCE { 


~seX X¥QBQA0O090'S 


NTEGER, 
NTEGER, 
NTEGER, 
NTEGER, 
NTEGER, 
NTEGER, 
NTEGER, 
NTEGER, 
NTEGER, 
NTEGER, 
NTEGER 


HHHHHHHHHHH 


The parameter sets have the following object identifiers: 


1.  id-tc26-gost-3410-2012-256-paramSetA ::= {iso(1) member-body (2) 
ru(643) rosstandart (7) tc26(1) constants(2) sign-constants (1) 
gost—3410-12-256-constants(1) paramSetA(1) }; 


2.  id-tc26-gost-3410-2012-512-paramSetC ::= (iso(1) member-body (2) 
ru(643) rosstandart(7) tc26(1) constants(2) sign-constants (1) 
gost-3410-12-512-constants (2) paramSetC(3)]. 


The corresponding values of the parameter sets can be found in 
Appendix A.2. 


6. Security Considerations 


This entire document is about security considerations. 
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Appendix A. Values of the Parameter Sets 
A.1. Canonical Form Parameters 
Parameter set: id-tc26-gost-3410-12-512-paramSetA 


SEQUENCE 
{ 
OBJECT IDENTIFIER 
id-tc26-gost-3410-12-512-paramSetA 
SEQUENCE 
{ 
INTEGER 
00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
F F 


FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD 
C7 

INTEGER 

00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD 
C4 

INTEGER 


00 E8 C2 50 5D E 
DA 34 B8 25 74 7 
65 EE 3C BO 90 F 
DD 86 2E F9 DA E 


D FC 86 DD C1 BD OB 2B 66 67 F1 
6 1C BO E8 79 BD 08 1C FD OB 62 
3 0D 27 61 4C B4 57 40 10 DA 90 
B EE 47 61 50 31 90 78 5A 71 C7 


60 

INTEGER 

00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PE CEE ER RE EF-EF PERE PR RB. EB BE IE EF FECEE 
FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60 
60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2 
75 

INTEGER 


00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60 
60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2 
75 

INTEGER 

03 
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INTEGER 
75 03 CF 
CE 5E 1C 
DF 16 26 
80 28 FE 


} 


Parameter set: 


SEQUENCE 
{ 


Cryptographic Algorithms 


E8 7A 83 6A E3 A6 
93 AC F1 AB C1 77 
BE 4F DO 36 E9 3D 
5F C2 35 F5 B8 89 


1B 88 16 
80 64 FD 
75 E6 A5 
A5 89 CB 


for GOST 


E2 54 50 
CB EF A9 
OE 3A 41 
52 15 F2 


id-tc26-gost-3410-12-512-paramSetB 


OBJECT IDENTIFIER 
id-tc26-gost-3410-12-512-paramSetB 


SEQUENCE 
{ 

INTEGER 
00 80 00 
00 00 00 
00 00 00 
00 00 00 
6F 

INTEGER 
00 80 00 
00 00 00 
00 00 00 
00 00 00 
6C 

INTEGER 
68 7D 1B 
B9 7C 7D 
3E 96 5D 
50 F7 8B 

INTEGER 
00 80 00 
00 00 00 
01 49 A1 
FA 8B 99 
BD 

INTEGER 
00 80 00 
00 00 00 
01 49 A1 
FA 8B 99 
BD 

INTEGER 
02 
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00 00 00 00 00 00 
00 00 00 00 00 00 
00 00 00 00 00 00 
00 00 00 00 00 00 


00 00 00 00 00 00 
00 00 00 00 00 00 
00 00 00 00 00 00 
00 00 00 00 00 00 


45 9D C8 41 45 7E 
61 4A F1 38 BC BF 
2D B1 41 6D 21 7F 
EE 1F A3 10 6E FB 


00 00 00 00 00 00 
00 00 00 00 00 00 
EC 14 25 65 A5 45 
67 12 10 1B EA OE 


00 00 00 00 00 00 
00 00 00 00 00 00 
EC 14 25 65 A5 45 
67 12 10 1B EA OE 


00 00 00 
00 00 00 
00 00 00 
00 00 00 


00 00 00 
00 00 00 
00 00 00 
00 00 00 


3E 06 CF 
85 DC 80 
8B 27 6F 
8C CB C7 


00 00 00 
00 00 00 
AC FD B7 
C6 34 6C 


00 00 00 
00 00 00 
AC FD B7 
C6 34 6C 
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00 00 00 
00 00 00 
00 00 00 
00 00 00 


00 00 00 
00 00 00 
00 00 00 
00 00 00 


6F 5E 25 
6C 4B 28 
AD 1A B6 
C5 14 01 


00 00 00 
00 00 00 
7B D9 D4 
54 37 4F 


00 00 00 
00 00 00 
7B D9 D4 
54 37 4F 


E6 
21 
E9 
A4 


00 
00 
00 
00 


00 
00 
00 
00 


17 
9F 
9C 
16 


00 
00 
OC 
25 


00 
00 
0c 
25 
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OF 
35 
88 
BD 


FF 
FF 


35 
7E 


D4 
95 


18 
BF 


00 
D8 
00 


oc 


12 
2D 
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INTEGER 
1A 8F 7E DA 38 9B 09 4C 2C 07 1E 36 47 A8 94 
3C 12 3B 69 75 78 C2 13 BE 6D D9 E6 C8 EC 73 
DC B2 28 FD 1E DF 4A 39 15 2C BC AA F8 CO 39 
28 04 10 55 F9 4C EE EC 7E 21 34 07 80 FE 41 
} 
} 
A.2. Twisted Edwards Form Parameters 
Parameter set: id-tc26-gost-3410-2012-256-paramSetA 
SEQUENCE 
{ 
OBJECT IDENTIFIER 
id-tc26-gost-3410-2012-256-paramSetA 
SEQUENCE 
{ 
INTEGER 
00 FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
97 
INTEGER 
00 C2 17 3F 15 13 98 16 73 AF 48 92 C2 30 
7C E2 5E 20 13 BF 95 AA 33 B2 2C 65 6F 27 
35 
INTEGER 
29 5F 9B AE 74 28 ED 9C CC 20 E7 C3 59 A9 
22 FC CD 91 08 E1 7B F7 BA 93 37 A6 F8 AE 
INTEGER 
01 
INTEGER 
06 05 F6 B7 C1 83 FA 81 57 8B C3 9C FA D5 
2B 9D F6 28 97 00 9A F7 E5 22 C3 2D 6D C7 
INTEGER 
01 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 3F 63 37 7F 21 ED 98 D7 04 56 BD 55 BO 
9c 
INTEGER 
40 00 00 00 00 00 00 00 00 00 00 00 00 00 
OF D8 CD DF C8 7B 66 35 C1 15 AF 55 6C 36 
INTEGER 
00 91 E3 84 43 A5 E8 2C OD 88 09 23 42 57 
BB 65 8B 91 96 93 2E 02 C7 8B 25 82 FE 74 
28 
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FD 


A2 
73 


1A 
13 


13 
FB 
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INTEGER 

32 87 94 23 AB 1A 03 75 89 57 86 C4 BB 46 E9 56 
5F DE 0B 53 44 76 67 40 AF 26 8A DB 32 32 2E 5C 
INTEGER 

OD 

INTEGER 

60 CA 1E 32 AA 47 5B 34 84 88 C3 8F AB 07 64 9C 
E7 EF 8D BE 87 F2 2E 81 F9 2B 25 92 DB A3 00 E7 


} 
Parameter set: id-tc26-gost-3410-2012-512-paramSetC 


SEQUENCE 
{ 


OBJECT IDENTIFIER 

id-tc26-gost-3410-2012-512-paramSetC 

SEQUENCE 

{ 
INTEGER 
00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PE FEE EE -EMPERE OEY Bes Be EE -EFEFEF EP EEF -EE FE EF 
EFE BP OPE FE FE EPE PEFR FEO BE PE ER EE EE EE EF 
FE FEE FE EF FE EE EFE EF EE EF FE EFF FF EF FE ED 


C7 

INTEGER 

00 DC 92 03 E5 14 A7 21 87 54 85 A5 29 D2 C7 22 
FB 18 7B C8 98 OE B8 66 64 4D E4 1C 68 El 43 06 
45 46 E8 61 CO E2 C9 ED D9 2A DE 71 F4 6F CF 50 
FF 2A D9 7F 95 1F DA 9F 2A 2E B6 54 6F 39 68 9B 
D3 

INTEGER 

00 B4 C4 EE 28 CE BC 6C 2C 8A C1 29 52 CF 37 F1 
6A C7 EF B6 A9 F6 9F 4B 57 FF DA 2E 4F OD E5 AD 
EO 38 CB C2 FF F7 19 D2 C1 8D EO 28 4B 8B FE F3 


B5 2B 8C C7 A5 F5 BF OA 3C 8D 23 19 A5 31 25 57 
El 

INTEGER 

01 

INTEGER 

00 9E 4F 5D 8C 01 7D 8D 9F 13 A5 CF 3C DF 5B FE 
4D AB 40 2D 54 19 8E 31 EB DE 28 AO 62 10 50 43 
9C A6 B3 9E 0A 51 5C 06 B3 04 E2 CE 43 E7 9E 36 
9E 91 AO CF C2 BC 2A 22 B4 CA 30 2D BB 33 EE 75 
50 
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0 FF 
F FF 
F 26 
3 23 


FF 
FF 
9 8C 


T 
0 
F 
F 
B 
B 
T 
3 
F 
C 
C8 ED 


4 
NTEGER 


NTEGER 


FF 
FF 
33 
B6 


FF 
FF 
DB 
A9 


INTEGER 


00 E2 
DE 22 
3A A2 
10 c6 
48 
INTEGE 


INTEGE 
46 9A 
OF DF 
22 DD 
90 56 


} 


Appendix B. 


E3 
95 
72 
FB 


R 

CE 
39 
8E 
F7 


R 

E 
BO 
4B 
22 
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FF 
FF 
6E 
A7 


FF 
FF 
A4 
E7 


1E 
B7 
72 
85 


40 
80 
2D 
26 


9D 
DO 
65 
CO 


1F 
Ea: 
oc 
4B 


Test Examples 


FF 
FF 
94 
9D 


FF 
FF 
06 
69 


c2 
CB 
AE 
7E 


FF 
FF 
1A 
A6 


FF 
FF 
AB 
Al 


3D 
AE 
60 
AE 


FF 
FF 
AC 
84 


FF 
FF 
00 
26 


FF 
FF 
01 
9A 


FF 
FF 
4C 
94 


FF 
FF 
30 
51 


FF 
FF 
33 
62 


E 


BD 


EB 


FF 
FF 
CE 
88 


FF 
FF 
A9 


3C 


E2 


FO 
2B 


21 
F2 
AA 


D3 
A7 


85 
B9 


5B 
65 
E3 
85 


B1 
94 
E 
2B 


5E 
27 
02 
4B 


36 
89 


1) HMAC_GOSTR3411_2012_256 


Key K: 


00 01 02 03 04 
10 11 12 13 14 


Tes 


01 26 bd b8 78 


05 06 07 08 
15 l6-I7.18 


00 af 21 43 
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09 0a Ob Oc Od Oe OF 
19. tao tb- 1c ld. le 1f 


41 45 65 63 78 01 00 


97 


B8 
37 
1E 
AE 


E1 
8D 
EE 
E7 


99 
8B 
D2 
07 


6B 
9A 
BF 
60 


C5 


AB 
8C 
EF 
DO 


99 
56 
06 
03 


BC 


BC 
10 
32 
39 


59 
IX 
8c 
03 
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2B 
7F 
5D 
EE 


FF 
FF 
FD 
BD 


FF 
FF 
51 
47 


CE 
07 
3D 
28 


F5 
3D 
58 
9A 


77 
7B 
13 
T3 


Roop Hj nj 
Hj o Hj Hj 


AO 
38 
9 
00 


FF 
FF 
1D 
CO 


FF 
FF 
50 
23 


3E 
EA 
ED 
95 


1C 
90 
42 
DD 


FF 
EE 
40 
8F 


EE 
FF 
2C 
ED 


F5 
04 
36 
01 


B8 
FF 
3B 
C4 


2A 
95 
FO 
3D 
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HMAC GOSTR3411 2012 256 (K, T) value: 


al aa 5f 7d e4 02 d7 b3 d3 23 £2 99 1c 8d 45 34 
01 31 37 01 Oa 83 75 4f dO af 6d 7c d4 92 2e d9 


2) HMAC GOSTR3411 2012 512 
Key K: 


00 01 02 03 04 05 06 07 08 09 0a Ob Oc Od Oe OF 
I0 I1 12 13 14 15'16.t7-T18-19.1aà tb: Le ld Ie lf 


T: 

01 26 bd b8 78 00 af 21 43 41 45 65 63 78 01 00 
HMAC GOSTR3411 2012 512 (K, T) value: 

a5 9b ab 22 ec ae 19 c6 5f bd e6 e5 £4 e9 f5 d8 
54 9d 31 f0 37 £9 df 9b 90 55 00 el 71 92 3a 77 
3d 5f 15 30 f2 ed 7e 96 4c b2 ee dc 29 e9 ad 2f 
3a fe 93 b2 81 4f 79 £5 00 Of fc 03 66 c2 51 e6 
3) PRF TLS GOSTR3411. 2012 256 


Key K: 


00 01 02 03 04 05 06 07 08 09 0a Ob Oc Od Oe OF 
10:11. 12 13. 14 15 16 17 18.19 la 1b 1c 1d 1e 1f 


Seed: 


18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56 
Ob 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 Ya 


Label: 
11 22 33 44 55 
Output T1: 


ff 09 66 4a 44 74 58 65 94 4f 83 9e bb 48 96 5f 
15 44 ff 1c c8 e8 f1 6f 24 7e e5 f8 a9 eb e9 7f 
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Output T2: 


c4 e3 c7 90 Oe 46 ca d3 db 6a 01 64 30 63 04 Oe 
c6 7f c0 fd 5c d9 £9 04 65 23 52 37 bd ff 2c 02 


4) PRF TLS GOSTR3411 2012 512 
Key K: 


00 01 02 03 04 05 06 07 08 09 0a Ob Oc Od Oe OF 
LO: TA 12 13 14 15'16.t7-T18-19.1a Tb: Le ld Ie If 


Seed: 


18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56 
Ob 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 Ya 


Label: 

11 22 33 44 55 

Output T1: 

f3 51 87 a3 dc 96 55 11 3a Oe 84 dO 6f d7 52 6c 
5f cl fb de cl a0 e4 67 3d d6 d7 9d Ob 92 0e 65 
ad 1b c4 7b bO 83 b3 85 1c b7 cd 8e 7e 6a 91 la 
62 6c £0 2b 29 e9 e4 a5 8e d7 66 a4 49 a7 29 6d 
Output T2: 

e6 la 7a 26 c4 dl ca ee cf d8 0c ca 65 c7 1f Of 
88 cl £8 22 c0 e8 c0 ad 94 9d 03 fe el 39 57 9f 
72 ba Oc 3d 32 c5 £9 54 f1 cc cd 54 08 1f c7 44 
02 78 cb al fe 7b 7a 17 a9 86 fd ff 5b dl 5d 1f 
5) PRF IPSEC PRFPLUS GOSTR3411. 2012 256 

Key K: 


c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 
2c ce a9 5f a6 48 67 05 82 c0 54 cO ef 36 c2 21 


Data S: 


01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00 
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Output T1: 


2d e5 ee 84 el 3d 7b e5 36 16 67 39 13 37 Oa bO 
54 c0 74 b7 9b 69 a8 a8 46 82 a9 £0 4f ec d5 87 


Output T2: 


29 £6 0d da 45 7b f2 19 aa 2e £9 5d 7a 59 be 95 
4d e0 08 £4 a5 Od 50 4d bd b6 90 be 68 06 01 53 


6) PRF IPSEC PRFPLUS GOSTR3411 2012 512 
Key K: 


c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 
2c ce a9 5f a6 48 67 05 82 c0 54 cO ef 36 c2 21 


Data S: 

01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00 
Output T1: 

5d a6 71 43 a5 f1 2a 6d 6e 47 42 59 6f 39 24 3f 
cc 61 57 45 91 5b 32 59 10 06 ff 78 a2 08 63 d5 
f8 8e 4a fc 17 fb be 70 b9 50 95 73 db 00 5e 96 
26 36 98 46 cb 86 19 99 71 6c 16 5d dO 6a 15 85 
Output T2: 

48 34 49 5a 43 74 6c b5 3f Oa ba 3b c4 6e bc £8 
77 3c a6 4a d3 43 cl 22 ee 2a 57 75 57 03 81 57 
ee 9c 38 8d 96 ef 71 d5 8b e5 cl ef al af a9 5e 
be 83 e3 9d 00 el 9a 5d 03 dc d6 Oa 01 be a8 e3 


7) VKO GOSTR3410 2012 256 with 256-bit output on the GOST 
R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA 


UKM value: 

1d 80 60 3c 85 44 c7 27 

Private key x of A: 

c9 90 ec d9 72 fc e8 4e c4 db 02 27 78 £5 Of ca 
c7 26 £4 67 08 38 4b 8d 45 83 04 96 2d 71 47 £8 


c2 db 41 ce £2 2c 90 b1 02 £2 96 84 04 f9 b9 be 
6d 47 c7 96 92 d8 18 26 b3 2b 8d ac a4 3c b6 67 
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Public key x*P 


aa 
54 
a3 
24 
91 
1b 
46 
64 


bo 
ba 
cc 
31 
46 
d8 
Tf 
01 


ed 
78 
ba 
f6 
13 
75 
92 
b9 


a4 
30 
61 
c8 
a3 
8e 
47 
7f 


Private key 


48 
cf 
80 
bb 


c8 
ea 
14 
cc 


59 
73 
07 
cc 


£7 
9b 
Ob 
8c 


ab 
70 
92 
97 
07 
87 
2d 
89 


y of part B: 


b6 
la 
44 
06 


Public key y*P 


19 
a4 
fE 
39 
04 
d9 
b5 
2d 


2f 
2a 
a9 
5f, 
88 
00 
98 
TT 


el 
3d 
74 
ce 
3b 
6d 
bf 
e4 


83 
bc 
ed 
le 
41 
da 
13 
3a 


b9 
66 
a7 
12 
4c 
17 
2a 
36 


KEK VKO value: 


c9 a9 a7 73 20 
2c ce a9 5f a6 


8) 


of 


ff 
eb 
e4 
eb 
4e 
8c 
40 
fd 


fl 
18 
91 
ed 


of 


TX 
ea 
c8 
91 
9b 
6c 
22 
2a 


e2 
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A 


21 
al 
64 
lb 
36 
9d 
ea 
be 


1:5 
cO 
85 
d8 


B 


3a 
31 
63 
75 
59 
e4 
8a 
bO 


cc 


(curve 


20 
Oc 
e6 
3c 
3a 
b1 
92 
0b 


85 
d4 
90 
bf 


8d 
b9 
e5 
Oc 
ed 
14 
£9 
5e 


88 
66 
b4 
5b 


(curve 


07 
78 
£4 
e8 
2e 
8c 
45 
22 


55 


72 
38 
95 
76 
c4 
39 
£7 
ad 


9e 


48 67 05 82 


point (X, 


18 79 9f 
ab b2 53 
bc b6 de 
GELS: 27 
b2 04 d3 
03 72 1b 
95 8c Of 
46 e4 a4 


7c c0 5e 
22 93 ef 
b9 96 ac 
da 92 a5 


point (X, 


53567 2€ 
b6 5f a3 
4d 11 47 
d1 32 e9 
dc 84 82 
le 3f 97 
20 1a ba 
40 28 £7 


d7 2d ce 
c0 54 cO 
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Y)): 


b9 a8 55 66 
ec 56 dc f5 
al 37 79 2f 
bl ad cO a7 
8d 35 63 97 
48 00 2d 38 
fa 4c 93 75 
63 1c db 5a 


c6 ef 13 90 
63 b7 9e 3b 
fe a4 ed fb 
13 92 d0 db 


87 35 de 2e 
25:23 Gd 56 
fl £2 b2 5c 
4e d5 a6 51 
6f 07 dO b6 
d1 02 e0 3b 
08 fc 52 4a 
5b de 3b 79 


6f 47 e2 19 
ef 36 c2 21 


VKO GOSTR3410 2012 512 with 512-bit output on the GOST 
R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA 


UKM value: 


1d 80 60 3c 


Private key 


c9 
c7 
c2 
6d 


90 
26 
db 
47 


ec 
f4 
41 
c7 
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d9 
67 
ce 
96 


et 


85 44 c7 


x of A: 


72 
08 
f2 
92 


al. 


EC 
38 
2c 
d8 


e8 
4b 
90 
18 


27 


4e 
8d 
bl 
26 


c4 
45 
02 
b3 


db 02 27 
83 04 96 
£2 96 84 
2b 8d ac 


Informational 


78 £5 Of ca 
2d 71 47 £8 
04 £9 b9 be 
a4 3c b6 67 
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Public key x*P of A (curve point (X, Y)): 


aa bO ed a4 ab ff 21 20 8d 18 79 9f b9 a8 55 66 
54 ba 78 30 70 eb al Oc b9 ab b2 53 ec 56 dc f5 
d3 cc ba 61 92 e4 64 e6 e5 bc b6 de al 37 79 2f 
24 31 f6 c8 97 eb 1b 3c Oc cl 43 27 bl ad c0 a7 
91 46 13 a3 07 4e 36 3a ed b2 04 d3 8d 35 63 97 
1b d8 75 8e 87 8c 9d b1 14 03 72 1b 48 00 2d 38 
46 1f 92 47 2d 40 ea 92 £9 95 8c Of fa 4c 93 75 
64 01 b9 7f 89 fd be Ob 5e 46 e4 a4 63 1c db 5a 


Private key y of B: 


48 c8 59 f7 b6 f1 15 85 88 7c c0 5e c6 ef 13 90 
cf ea 73 9b la 18 cO d4 66 22 93 ef 63 b7 Ye 3b 
80 14 07 0b 44 91 85 90 b4 b9 96 ac fe a4 ed fb 
bb cc cc 8c 06 ed d8 bf 5b da 92 a5 13 92 d0 db 


Public key y*P of B (curve point (X, Y)): 


19 2f el 83 b9 71 3a 07 72 53 c7 2c 87 35 de 2e 
a4 2a 3d bc 66 ea 31 78 38 b6 5f a3 25 23 cd 5e 
fc a9 74 ed a7 c8 63 £4 95 4d 11 47 f1 f2 b2 5c 
39 5f ce le 12 91 75 e8 76 dl 32 e9 4e d5 a6 51 
04 88 3b 41 4c 9b 59 2e c4 dc 84 82 6f 07 dO b6 
d9 00 6d da 17 6c e4 8c 39 le 3f 97 dl 02 eO 3b 
b5 98 bf 13 2a 22 8a 45 f7 20 1a ba 08 fc 52 4a 
2d 77 e4 3a 36 2a b0 22 ad 40 28 f7 5b de 3b 79 


KEK VKO value: 

79 £0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 

ad aa d8 45 97 a0 d2 05 b5 Oe 3e 17 19 £9 7b fa 

7e el d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 

f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df 

9) Key derivation function KDF GOSTR3411 2012 256 


K in key: 


00 01 02 03 04 05 06 07 08 09 0a Ob Oc Od Oe OF 
I0 Ll 12.13.14. 15 l6. t7 I9 19- 1a 1b.1c 1d 1e lf 


Label: 


26 bd b8 78 
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Seed: 


af 21 
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43 41 45 65 63 78 


KDF(K in, label, seed) value: 


al aa 
01-31 


10) 


5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34 
37 01 0a 83 75 4f dO af 6d 7c d4 92 2e dg 


Key derivation function KDF_TREE_GOSTR3411_2012_256 


Output size of L: 


512 


K_in key: 


00 01 
10 11 


Label: 


26 bd 


Seed: 


af 21 


K1: 


22 b6 
86 d3 


07 4c 
e9 37 


02 03 04 05 06 07 08 09 Oa Ob Oc Od Oe OF 
I2.13 14-15 I6 17.18 19. 1a lib 1C rda le 1f 


b8 78 


43 41 45 65 63 78 


83 78 45 c6 be f6 5e a7 16 72 b2 65 83 10 
c7 6a eb e6 da e9 1c ad 51 d8 3f 79 dl 6b 


93 30 59 9d 7f 8d 71 2f ca 54 39 2f 4d dd 
51 20 6b 35 84 c8 £4 3f Ye 6d c5 15 31 £9 
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11) Key wrap and unwrap with the szOID Gost28147 89 TC26 Z ParamSet 
parameters 
Key K e: 


00 01 02 03 04 05 06 07 08 09 0a Ob Oc Od Oe OF 
I0.11. 12 13 14 15.16 Ly 18 19 la db. 1c Id 16 1f 


Key K: 


20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 


Seed: 

af 21 43 41 45 65 63 78 
Label: 

26 bd b8 78 


KEK e(seed) = KDF GOSTR3411. 2012 256(K e, label, seed): 


al aa 5f 7d e4 02 d7 b3 d3 23 £2 99 1c 8d 45 34 
01 31 37 01 Oa 83 75 4f dO af 6d 7c d4 92 2e d9 


CEK MAC: 
be 33 £0 52 
CEK ENC: 


d1 55 47 £8 ee 85 12 1b c8 7d 4b 10 27 d2 60 27 
ec c0 71 bb a6 e7 2f 3f ec 6f 62 Of 56 83 4c 5a 
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Appendix C.  GOST 28147-89 Parameter Set 
The parameter set has the following object identifier: 
id-tc26-gost-28147-param-Z::-7 (iso(1) member-body(2) ru(643) 
rosstandart(7) tc26(1) constants(2) cipher-constants (5) 
gost-28147-constants(1) param-Z(1)) 
The parameter set is defined below: 
x Kl(x) K2(x) K3(x) K4(x) K5(x) K6(x) K7(x) K8(x) 
o y c 6 b c 7 5 8 1 
1 | 4 8 3 8 f d e 7 
3 n] 6 2 5 2 5 f 2 e 
3 2 3 8 1 a 6 5 d 
4 a 9 2 d 8 9 6 0 
Be |) 8 a f 4 1 2 9 5 
6 | b 5 a f 6 c 1 8 
SS ud 9 c d 6 d a c 3 
8 | e 1 e 7 0 b f 4 
9 8 e 1 0 9 7 4 f 
a d 4 7 a 3 8 b a 
b | 7 7 4 5 e 1 0 6 
c | 0 b c 3 b 4 d 9 
a | 3 d 9 e 4 3 a c 
e | f 0 6 9 2 e 3 b 
Ë| 1 f 0 b c 0 7 2 
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